General
Target: Quotation.exe
Size: 467KB
Sample: 201109-cx962h1xz6
MD5: e1a68793a7d62a16837c95b2cc38da0e
SHA1: a239f2c748725a001efff71c5126af68f1bd9fc4
SHA256: d3ccfc7eefe685bc703f2975cde7560c851f7e28f8fac127baf54b24ede4ca91
SHA512: 4d3b781ffe5dff71a4fb5a3f081b25c4efc625caf17b52c07c8e1d6a41028b7f38354b55acb0eb8a1b1bf231aa6feba602b25aae4075c932f23f6dab74e906ee
Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.scandinavian-collection.com
Port: 587
Username: may@scandinavian-collection.com
Password: kR6d.DFet#7w
Targets
Target: Quotation.exe
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
Suspicious use of SetThreadContext